This topic describes the features available in the Security Analytics Services Stats view for Malware Analysis.
The Services Stats view provides a way to monitor the status and operations of a service.
To access the Service Stats view for Malware Analysis:
- In the Security Analytics menu, select Administration > Services.
The Services view is displayed.
- Select the Malware Analysis service, then select View > Stats.
The following figure shows the Services Stats view for Malware Analysis. The default tab is the Events tab.
The following figure shows the Analysis Threads tab.
The Services Stats view for Malware Analysis has two tabs:
- Events tab
- Analysis Threads tab
The Events tab contains the Timeline chart, which plots the number of events of each type over the selected time range.
The following table describes the features of the Events tab.
| Feature | Description |
| --- | --- |
| Time Range drop-down menu | This menu offers different options for the time range shown on the graph. You can choose a custom time range by selecting Custom and choosing a start and end date from the drop-down menus. |
| Plot area | Each type of event is represented by a different color on the graph. You can zoom in on a section of the graph by clicking and dragging to select the section you want to see more closely. |
| Event Type key | At the bottom of the tab, the types of events shown in the plot area are listed with their respective line colors. For example, the Network line is green and the On Demand line is purple. To hide an event type, click its entry in the key; it is grayed out and its line is removed from the graph. |
Analysis Threads Tab
Malware Analysis is capable of analyzing many files simultaneously, each represented by a thread. Each file goes through a linear process when it is analyzed:
- Network meta analysis
- Request file from Decoder
- Community (if enabled)
- Sandbox (if enabled)
This tab shows the status of each thread, so you can see where each file currently sits in the analysis process. Thread statuses are grouped by the type of file analysis, that is, the method by which Malware Analysis received the file: a Network session, a manually uploaded file, or an On Demand scan.
This is particularly useful for finding which stage of analysis is the limiting factor. For example, if you open the tab and see all 20 threads in the Requesting Files from NextGen state, the Decoder is having problems or is overloaded and cannot deliver files quickly enough; the backlog is not in Community lookup or the Sandbox.
If threads have not updated their status for a long period, Malware Analysis itself may be stuck rather than merely slow.
The following table describes the list columns.
| Column | Description |
| --- | --- |
| Last Updated | The most recent date and time when the thread updated its status. |
| Session Id | The ID number of the session. |
| Status | The current status of the file analysis. |
| File Name | The name of the file being analyzed. |
| File Hash | The hash of the file being analyzed. |
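The two diagnoses described above (one stage holding most threads, and threads whose Last Updated value has not moved) can be automated over the rows of the Analysis Threads list. The following script is an added example, not code from Security Analytics or its documentation; it assumes thread rows with the five columns named in the table, the stage names as the page lists them, and two assumed tuning values (a 75% concentration threshold and a 30-minute staleness cutoff). The sample rows, file names and hashes are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Pipeline stages in the order the page lists them (Community and Sandbox are optional).
STAGES = ("Network meta analysis", "Request file from Decoder", "Community", "Sandbox")


@dataclass
class ThreadRow:
    """One row of the Analysis Threads list, with the columns the page names."""
    last_updated: datetime
    session_id: int
    status: str
    file_name: str
    file_hash: str


def stage_histogram(rows):
    """Number of threads currently sitting in each status."""
    return Counter(r.status for r in rows)


def bottleneck_stage(rows, threshold=0.75):
    """Return the status holding at least `threshold` of all threads, else None.

    Most threads piled up at 'Request file from Decoder' means the Decoder is the
    limiting factor; most at 'Sandbox' means the sandbox is. `threshold` is an
    assumed tuning value, not a product setting.
    """
    if not rows:
        return None
    status, count = stage_histogram(rows).most_common(1)[0]
    return status if count / len(rows) >= threshold else None


def stale_threads(rows, now, max_age=timedelta(minutes=30)):
    """Threads whose Last Updated is older than `max_age` (assumed cutoff)."""
    return [r for r in rows if now - r.last_updated > max_age]


def triage(rows, now):
    """Summarise what an operator looks for on the tab: counts, bottleneck, stuck threads."""
    return {
        "by_status": dict(stage_histogram(rows)),
        "bottleneck": bottleneck_stage(rows),
        "stale_sessions": [r.session_id for r in stale_threads(rows, now)],
    }


# Constructed sample: eight threads observed at NOW. Hashes are placeholder hex strings.
NOW = datetime(2024, 5, 1, 10, 0, 0)


def _row(age_minutes, session_id, status, file_name):
    return ThreadRow(NOW - timedelta(minutes=age_minutes), session_id, status,
                     file_name, f"{session_id:064x}")


SAMPLE_ROWS = [
    _row(1, 1001, "Request file from Decoder", "invoice.pdf"),
    _row(2, 1002, "Request file from Decoder", "setup.exe"),
    _row(90, 1003, "Sandbox", "update.dll"),          # no update for 90 minutes: stuck
    _row(3, 1004, "Request file from Decoder", "report.docx"),
    _row(1, 1005, "Request file from Decoder", "photo.jpg"),
    _row(2, 1006, "Request file from Decoder", "archive.zip"),
    _row(0, 1007, "Network meta analysis", "script.js"),
    _row(4, 1008, "Request file from Decoder", "driver.sys"),
]

if __name__ == "__main__":
    # Six of eight threads are waiting on the Decoder, and session 1003 is stale.
    print(triage(SAMPLE_ROWS, NOW))
```

With the sample rows, six of eight threads are waiting on the Decoder, so the Decoder is reported as the bottleneck, and session 1003 is flagged as stale because its Sandbox status has not changed in 90 minutes; a stale thread in a stage that otherwise moves normally is the case the page warns may mean Malware Analysis is stuck.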